MPU Meeting Thursday 17th October 2019


No activity.

Profile Security

Machines on the develop release are now authenticating their secure profile fetch with GSSAPI. There have been no real problems, except that people who want their scripts to fetch XML profiles will now have to do this using root or admin principals.

Alternate Desktop Platform

Stephen has summarised the state of LCFG components for the Ubuntu platform:

The project will concentrate on desktops - LCFG components only used on servers aren't likely to get attention.

There'll be another project meeting on Monday.

Alastair has been trying the FAI installer (it seems to be the main automated installer for Ubuntu) with a view to using it for our LCFG-configured Ubuntu desktops. He's been finding it awkward, because its packagers seem to have assumed that lots of services - tftp, NFS, etc. - will all be coming from one install server. Stephen suggests unpacking the FAI ISO onto the PXE server and making it available there to see how far we get. Alastair said that the ISO runs as a VM, so he'll try that. Failing that he'll make an Ubuntu server to start us off.

Miscellaneous Development

Stephen has rewritten the Support Form CGIs to make them far more secure. They now query Tartarus instead of the old inventory data.

With this development, he's disabled access to the inventory XML LCFG profile.

Stephen fixed Bug:1169.

Alastair reported Bug:1171.


Stephen has junked hare.

Stephen has upgraded beaver (the Log Cabin server) to 7.6. One sticking point had been the Python Django packages - 7.6 brought a substantially newer version of Django, lacking a lot of the now-deprecated functionality which Log Cabin uses. Stephen has held back the old Django packages on beaver for now. The other sticking point is that Log Cabin uses Python 2. It needs to be rewritten for Python 3 and the latest Django. However for the moment it works. All access is authenticated.

Stephen spotted that amarela hadn't been upgraded to SL 7.6 so did that, and upgraded some NIC firmware on amarela and vermelha.

OpenAFS 1.8.4 is out, bringing lots of fixes and minor improvements. Machines on the develop release are using it. It contains yet more getcwd fixes!

Chris has spotted problems with archlute. He'll schedule a reboot.

We've been resolving lots of RT tickets.

MPU pages have been updated:

The pkgforge builder badger has been reinstalled with more disk, memory and CPUs. This matches the other pkgforge builder and should mean build jobs no longer time out.

We still have three KVM server upgrades to schedule.

This Week

  • Alastair
    • Inventory project
      • Start work on final report!
      • Provide details on how Tartarus tables are accessed to Ian D for inclusion in his privileged access discussion paper
      • Produce a Legitimate Interest Declaration and Privacy Statement
        • contains a list of every user and their status
        • records machine to user allocation (with their UUN, cname, sname, user category)
        • records who requests which order (usually just uun, but can be cname+sname)
        • records who makes a change in inventory (just uun)
        • records which informatics location a machine is observed in (could track who is using which room, for wire-connected laptops)
        • consider what can be removed once a user has left the University
          • any rows in the 'person' table where 'upstream' is false and where there isn't an 'item' row with a matching 'allocated_to' field should be deleted by a periodic script. Arguably 'category' should be set to NULL where 'upstream' is false?
      • Decommission ordershost
        • Xmas 2019 - delete old ordershost 'nerano'
    • Additional Tartarus work - non project
      • Create an entry in the new Services register once that is in service
      • client report to flag when hyperthreading disabled or not (in CPU report)
      • client report to take 'ipfilter.export'
      • modularise kvmreport so that it can both be used to report by mail and be used as a clientreport module
    • Take a look at RT #78875
      • WON'T LOOK UNLESS A BIG ISSUE (Ask Tom) - Tom asked 16/09/19
    • Look at Stephen's 'Thoughts on shell components'
    • Investigate systemd reboot bug on gaivota and add some more debugging (store tree diff somewhere)
    • drupal username collection re GDPR
      • Periodically run user expiry script every month until December 2019 and if no problems configure to run automatically
      • Run 16/09/19
    • Meet Tim with Chris to review RAT involvement
    • Look at using php-5.6 on
    • Have a look at how APT / DPKG works, particularly wrt API
    • Look at KVM / host-model issue on oyster (See my actions from 13/03/19)
    • Look at idea of marking KVM guests as disabled (See my actions from 13/03/19)
    • Upgrade girassol (remembering hyperthreading)
    • Check file permissions on tartarus and (can non privileged users access stuff (including backups))
    • Go through non MPU RT tickets

  • Chris
    • User training materials project #403
    • Meet Tim with Alastair to review RAT involvement
    • Delete SL7RT tracker VM
    • Test cross-site KVM cold migration
    • Go through non MPU RT tickets

  • Stephen
    • Take issue of disabling per-user journald logs on certain servers to OPS
    • Look at where we're using ALL in access.conf
    • Read George's mail of 8th November wrt DPIA
    • clientreport
      • Complete module errors report
      • Add an 'old locks' report
      • 'Old kernels' report
      • Report on core files in / directory
    • Produce a Legitimate Interest Declaration and Privacy Statement for svn history and LCFG profile history
    • Write SL7.6 final report
    • Security week page
    • Upgrade banjo and mandolin (remembering hyperthreading)
    • 'vermelha' -> Distance Learning XRDP server

-- AlastairScobie - 17 Oct 2019

Topic revision: r4 - 23 Oct 2019 - 08:22:33 - ChrisCooke